{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40024", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:35:50.657Z", "datePublished": "2026-04-08T21:35:20.662Z", "dateUpdated": "2026-04-09T18:13:37.338Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:20.662Z"}, "title": "Sleuth Kit tsk_recover Path Traversal", "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries."}], "tags": ["x_open-source"], "datePublic": "2026-02-28T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.14.0", "versionType": "custom"}, {"status": "unaffected", "version": "a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}}], "references": [{"url": "https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b", "tags": ["patch"], "name": "Patch Commit"}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Sleuth Kit tsk_recover Path Traversal", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:12:19.473427Z", "id": "CVE-2026-40024", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:13:37.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40024", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T18:12:19.473427Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:13:20.720Z"}}], "cna": {"tags": ["x_open-source"], "title": "Sleuth Kit tsk_recover Path Traversal", "credits": [{"lang": "en", "type": "finder", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.14.0"}, {"status": "unaffected", "version": "a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-28T00:00:00.000Z", "references": [{"url": "https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal", "name": "VulnCheck Advisory: Sleuth Kit tsk_recover Path Traversal", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:20.662Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40024", "state": "PUBLISHED", "dateUpdated": "2026-04-09T18:13:37.338Z", "dateReserved": "2026-04-08T13:35:50.657Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:20.662Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries."}], "id": "CVE-2026-40024", "lastModified": "2026-04-08T22:16:22.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:22.430", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b"}, {"source": "disclosure@vulncheck.com", "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "sleuthkit", "source": "cna", "vendor": "sleuthkit"}, "product": "the_sleuth_kit", "vendor": "sleuthkit"}], "analysis": {"en": {"generated_at": "2026-04-08T22:24:53.958356+00:00", "value": {"mitigation_remediation": ["Upgrade the Sleuth Kit to version 4.15 or newer, which contains the path traversal fix.", "If an upgrade is not immediately possible, apply the patch from the GitHub commit a3f96b3bc36 or consult the project for a backport.", "Restrict execution of tsk_recover to trusted environments and avoid processing untrusted filesystem images."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The flaw affects the Sleuth Kit software suite, specifically versions up to and including 4.14.0 released by the Sleuth Kit project. Users running any of these versions on any operating system are susceptible when processing untrusted or malicious filesystem images with tsk_recover.", "description_and_impact": "The vulnerability in the Sleuth Kit tsk_recover utility allows an attacker to write files to arbitrary locations outside the intended recovery directory. By inserting path traversal sequences such as '/../' into filenames or directory paths within a crafted filesystem image, an attacker can cause tsk_recover to create or overwrite files in protected locations. This flaw, identified as CWE-22, can lead to unauthorized file creation or modification, potentially enabling code execution if critical system files, shell configuration, or cron entries are overwritten.", "risk_and_exploitability": "The CVSS score of 8.4 indicates high severity. The absence of an EPSS score and its exclusion from the CISA KEV list suggest that public exploitation may not yet be observed, but the high impact and local nature of the flaw make it a serious concern for administrators who run tsk_recover with elevated privileges. The attack vector is inferred to be local, requiring the attacker to execute tsk_recover against a crafted image; therefore, the vulnerability is most relevant to users who deploy the tool in environments where untrusted images could be processed."}}}}, "created": "2026-04-09T08:16:32.663316+00:00", "updated": "2026-04-09T08:25:58.540101+00:00", "vendors": ["sleuthkit", "sleuthkit$PRODUCT$the_sleuth_kit"]}